Abstract

Given a prime $p$, an elliptic curve $E/\mathbb{F}_p$ over the finite field $\mathbb{F}_p$ of $p$ elements and a binary linear recurrence sequence $(u(n))_{n=1}^{\infty}$ of order $r$, we study the distribution of the sequence of points
$$\sum_{j=0}^{r-1} u(n+j) P_j, \qquad n = 1, \ldots, N,$$
on average over all possible choices of $\mathbb{F}_p$-rational points $P_1, \ldots, P_r$ on $E$. For a sufficiently large $N$ we improve and generalise a previous result in this direction due to E. El Mahassni.

1 Introduction

The knapsack generator or subset sum generator is a pseudorandom number generator introduced by Rueppel and Massey and studied in [12]; see also [10, Section 6.3.2] and [13, Section 3.7.9]. It is defined as follows. For an integer $m > 1$ we denote by $\mathbb{Z}_m$ the residue ring modulo $m$. Let $(u(n))_{n=1}^{\infty}$ be a linear recurrence sequence of order $r$ over the field of two elements $\mathbb{F}_2$, see [9, Chapter 8]. Given an $r$-dimensional vector $\mathbf{z} = (z_0, \ldots, z_{r-1}) \in \mathbb{Z}_m^r$ of weights, we generate a sequence of pseudorandom elements of $\mathbb{Z}_m$ by

[Display equation (1), the definition of the subset sum generator as a sum over $j = 0, \ldots, r-1$, is lost in extraction.] (1)

For cryptographic applications, it is usually recommended to use a linear recurrence sequence of maximal period $\tau = 2^r - 1$ and also the modulus $m = 2^r$. Although the results of [?, 8] suggest that this generator should be used with care, no major attack against it is known. In [2, ?] results on the joint uniform distribution of several consecutive elements of this generator have been obtained (on average over all $r$-dimensional vectors $\mathbf{z} = (z_0, \ldots, z_{r-1}) \in \mathbb{Z}_m^r$).

El Mahassni [4] has recently considered the elliptic curve subset sum generator and obtained some uniformity of distribution results for this generator. More precisely, let $p$ be a prime and let $E$ be an elliptic curve over the finite field $\mathbb{F}_p$ of $p$ elements. Following [3], given a vector $\mathbf{P} = (P_0, \ldots, P_{r-1}) \in E(\mathbb{F}_p)^r$ of $r$ points from the group $E(\mathbb{F}_p)$ of $\mathbb{F}_p$-rational points on $E$ (see [?] for a background on elliptic curves), we define the sequence:



$$V_{\mathbf{P}}(n) = \sum_{j=0}^{r-1} u(n+j) P_j, \qquad n = 1, 2, \ldots, \qquad (2)$$
where the summation symbol refers to the group operation on $E$; see also [?]. If we fix any function $f : E(\mathbb{F}_p) \to \mathbb{F}_p$, we can define the output of the elliptic curve subset sum generator to be the sequence $(f(V_{\mathbf{P}}(n)))$. One of the simplest and most natural choices for the function $f$ has been considered in [4], namely $f(P) = x(P)$, the $x$-coordinate of any affine point $P \in E(\mathbb{F}_p)$. (We can define $x(O) = 0$ for the point at infinity $O$.) With this choice for the function $f$, it is known that for almost all choices of $\mathbf{P} = (P_0, \ldots, P_{r-1}) \in E(\mathbb{F}_p)^r$, the sequence $x(V_{\mathbf{P}}(n))/p$, $n = 1, \ldots, N$, is uniformly distributed modulo 1 for a wide range of $N$.
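As an added illustration (not code from the paper), the following Python builds a toy instance of the generator (2) with the $x$-coordinate output: a small curve, an LFSR of order $r = 4$ with maximal period $\tau = 15$, and the one-dimensional discrepancy of the points $x(V_{\mathbf{P}}(n))/p$. The prime, curve, base point, scalars and LFSR polynomial are all constructed for the illustration, and the discrepancy formula is the standard one for sorted points in $[0,1)$.

```python
# Added example, not from the paper: toy elliptic curve subset sum generator
# V_P(n) = sum_{j<r} u(n+j) P_j, output x(V_P(n))/p, and its discrepancy. Constructed:
# p = 97, E: y^2 = x^3 + 2x + 3, base point (3, 6), LFSR x^4 + x + 1 (r = 4, tau = 15).

P_MOD, A, B = 97, 2, 3
INF = None  # the point at infinity O

def ec_add(p1, p2):
    """Group law on E(F_p) in affine coordinates (handles O and inverses)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # p2 = -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):  # double-and-add scalar multiplication k * pt
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def lfsr_bits(seed, length):
    """u(n+4) = u(n+1) + u(n) over F_2: primitive x^4 + x + 1, period tau = 15."""
    u = list(seed)
    while len(u) < length:
        u.append(u[-3] ^ u[-4])
    return u

def generator(points, u, N):
    """x(V_P(n)) for n = 0..N-1 (0-based here), with x(O) = 0 as in the paper."""
    out = []
    for n in range(N):
        v = INF
        for j, pj in enumerate(points):
            if u[n + j]:
                v = ec_add(v, pj)
        out.append(0 if v is INF else v[0])
    return out

def discrepancy(values):
    """Extreme discrepancy D_N of points in [0,1): 1/N + max(i/N - x_(i)) - min(i/N - x_(i))."""
    xs = sorted(values)
    n = len(xs)
    d = [(i + 1) / n - xs[i] for i in range(n)]
    return 1 / n + max(d) - min(d)

def demo(N=15):  # constructed points P_j = k * (3, 6) for k in (1, 2, 3, 5)
    points = [ec_mul(k, (3, 6)) for k in (1, 2, 3, 5)]
    out = generator(points, lfsr_bits([1, 0, 0, 0], N + len(points)), N)
    return out, discrepancy([x / P_MOD for x in out])
```

Because $u$ has period 15, `demo(30)` returns an output sequence that repeats after 15 terms, which is the purely periodic behaviour assumed in Theorems 4 and 5.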

In this paper we improve the result of [4] on the distribution of the sequence $x(V_{\mathbf{P}}(n))/p$, $n = 1, \ldots, N$, in the case when $N$ is sufficiently large, by adding some combinatorial arguments to the existing techniques. We also establish results on the distribution of the $s$-dimensional vectors
$$\left( \frac{x(V_{\mathbf{P}}(n))}{p}, \ldots, \frac{x(V_{\mathbf{P}}(n+s-1))}{p} \right), \qquad n = 1, \ldots, N, \qquad (3)$$
for any $s \ge 2$. (Note that we always assume that $\mathbb{F}_p$ is represented by the set $\{0, \ldots, p-1\}$, so the vectors (3) belong to the $s$-dimensional unit cube.) The methods in [3] do not seem to extend to this case. We note that for small values of $N$ the results of [4] remain the only ones known for the elliptic curve subset sum generator. In particular, full analogues of the results of [2] are still not known.

Throughout the paper, the implied constants in the symbols '$O$' and '$\ll$' may depend on the integer parameter $s$. We recall that $U \ll V$ and $U = O(V)$ are both equivalent to the inequality $|U| \le cV$ with some constant $c > 0$.

2 Preliminaries

2.1 Discrepancy and Exponential Sums

For a real $z$ and an integer $m \ge 1$ we use the notation
$$e(z) = \exp(2\pi i z) \quad \text{and} \quad e_m(z) = \exp(2\pi i z/m).$$
For a sequence of points
$$\Gamma = (\gamma_{0,n}, \ldots, \gamma_{s-1,n})_{n=1}^{N} \qquad (4)$$
in the $s$-dimensional unit cube, we denote its discrepancy by $D_\Gamma$. That is,
$$D_\Gamma = \sup_{B \subseteq [0,1)^s} \left| \frac{T_\Gamma(B)}{N} - |B| \right|,$$
where $T_\Gamma(B)$ is the number of points of the sequence $\Gamma$ in the box
$$B = [\alpha_0, \beta_0) \times \cdots \times [\alpha_{s-1}, \beta_{s-1}) \subseteq [0,1)^s$$
of volume $|B|$ and the supremum is taken over all such boxes.

As we have mentioned, one of our basic tools to study the uniformity of distribution is the Koksma–Szüsz inequality, which we present in a slightly weaker form than that given by Theorem 1.21 of [?].

For an integer vector $\mathbf{a} = (a_0, \ldots, a_{s-1}) \in \mathbb{Z}^s$ we define
$$|\mathbf{a}| = \max_{\nu = 0, \ldots, s-1} |a_\nu|, \qquad r(\mathbf{a}) = \prod_{\nu=0}^{s-1} \max\{|a_\nu|, 1\}.$$

Lemma 1. For any integer $L \ge 1$ and any sequence $\Gamma$ of $N$ points (4), for the discrepancy $D_\Gamma$ we have
$$D_\Gamma \ll \frac{1}{L} + \frac{1}{N} \sum_{0 < |\mathbf{a}| \le L} \frac{1}{r(\mathbf{a})} \left| \sum_{n=1}^{N} e\left( \sum_{\nu=0}^{s-1} a_\nu \gamma_{\nu,n} \right) \right|,$$
where the sum is taken over all integer vectors $\mathbf{a} = (a_0, \ldots, a_{s-1}) \in \mathbb{Z}^s$ with $0 < |\mathbf{a}| \le L$.

For estimation of the corresponding exponential sums with various sequences of pseudorandom numbers, the following special case of the bound of Bombieri [1] is used.

Lemma 2. For any rational function $f(X, Y) \in \mathbb{F}_p(X, Y)$ of degree $d$ which is not constant on an elliptic curve $E$ over $\mathbb{F}_p$, the bound [display bound lost in extraction] holds, where $\sum^*$ means that the poles of $f(X, Y)$ are excluded from the summation.
We need the orthogonality relation:
$$\sum_{\eta=0}^{m-1} e_m(\eta\lambda) = \begin{cases} 0, & \text{if } \lambda \not\equiv 0 \pmod m, \\ m, & \text{if } \lambda \equiv 0 \pmod m. \end{cases} \qquad (5)$$
We also make use of the inequality (which is immediate from [?, Bound (8.6)])
$$\sum_{\eta=0}^{m-1} \left| \sum_{\lambda=1}^{M} e_m(\eta\lambda) \right| \ll m \log m, \qquad (6)$$
which holds for any integers $m$ and $M$ with $1 \le M < m$.



2.2 Combinatorial Estimates

Let $r$ and $s$ be positive integers such that $s \le r$. Write $\mathbf{e}_1, \ldots, \mathbf{e}_s$ for the standard orthogonal basis vectors of length $s$ and let $\mathbf{0}_s = (0, \ldots, 0)$ be the $s$-dimensional zero vector. We say that a pair of $r$-dimensional binary vectors $\mathbf{x} = (x_0, \ldots, x_{r-1})$ and $\mathbf{y} = (y_0, \ldots, y_{r-1})$ is $s$-good if for all $h = 1, \ldots, s$, there exists at least one pair $0 \le i, j \le r - s$ such that
$$(x_i, x_{i+1}, \ldots, x_{i+s-1}) = \mathbf{e}_h, \qquad (x_j, x_{j+1}, \ldots, x_{j+s-1}) = \mathbf{0}_s,$$
and
$$(y_i, y_{i+1}, \ldots, y_{i+s-1}) = \mathbf{0}_s, \qquad (y_j, y_{j+1}, \ldots, y_{j+s-1}) = \mathbf{e}_h.$$
We say that a pair $(\mathbf{x}, \mathbf{y})$ is $s$-bad if it is not $s$-good. We wish to obtain a bound on the number $f_s(r)$ of $s$-bad pairs of vectors of length $r$.

Lemma 3. Let $s$ be a fixed positive integer. The number $f_s(r)$ of $s$-bad pairs of binary vectors of length $r$ is at most
$$f_s(r) \le 2s \, 4^{s-1} \alpha_s^r,$$
where
$$\alpha_s = (4^s - 1)^{1/s}.$$

Proof. We say that a pair $(\mathbf{x}, \mathbf{y})$ is $(s, h)$-bad with respect to $\mathbf{x}$ if there exists no integer $i$ with $0 \le i \le r - s$ such that $(x_i, x_{i+1}, \ldots, x_{i+s-1}) = \mathbf{e}_h$ and $(y_i, y_{i+1}, \ldots, y_{i+s-1}) = \mathbf{0}_s$. Furthermore, we say that a pair $(\mathbf{x}, \mathbf{y})$ is $s$-bad with respect to $\mathbf{x}$ if and only if it is $(s, h)$-bad with respect to $\mathbf{x}$ for some $h$. Note that a pair $(\mathbf{x}, \mathbf{y})$ is $s$-bad if and only if for some $h$ the pair is $(s, h)$-bad with respect to either $\mathbf{x}$ or $\mathbf{y}$.

Since there are at most $s$ possibilities for $h$, and the roles of $\mathbf{x}$ and $\mathbf{y}$ in the definition of $s$-bad pairs are completely symmetrical, our bound follows if we can prove that for any $s$ and $h$ the number of $(s, h)$-bad pairs with respect to $\mathbf{x}$ is at most $4^{s-1} \alpha_s^r$.

Let $h$ be fixed. We bound the number of $(s, h)$-bad pairs $(\mathbf{x}, \mathbf{y})$ with respect to $\mathbf{x}$ as follows. For an integer $m = 0, \ldots, \lfloor r/s \rfloor - 1$, there are at most $2^{2s} - 1$ possibilities for the pair
$$\big( (x_{ms}, x_{ms+1}, \ldots, x_{ms+s-1}),\ (y_{ms}, y_{ms+1}, \ldots, y_{ms+s-1}) \big)$$
of subsequences, since this pair of subsequences cannot be equal to $(\mathbf{e}_h, \mathbf{0}_s)$. So there are at most $(2^{2s} - 1)^{\lfloor r/s \rfloor} \le (2^{2s} - 1)^{r/s} = \alpha_s^r$ possibilities for the pair
$$\big( (x_0, x_1, \ldots, x_{\lfloor r/s \rfloor s - 1}),\ (y_0, y_1, \ldots, y_{\lfloor r/s \rfloor s - 1}) \big).$$
But $r - \lfloor r/s \rfloor s \le s - 1$, and so there are at most $4^{s-1}$ possibilities for the last $r - \lfloor r/s \rfloor s$ positions of $\mathbf{x}$ and $\mathbf{y}$. This establishes our bound. □

In particular, since $\alpha_s < 4$, we see from Lemma 3 that $f_s(r) = o(4^r)$ as $r \to \infty$ with $s$ fixed (and so $s$-bad pairs are asymptotically rare).

We remark that it is not too difficult to see that $f_s(r)$ is bounded below by $C_s \beta_s^r$ for some positive constants $C_s > 0$ and $\beta_s$ depending only on $s$. To see this we may use the Perron–Frobenius Theorem, together with the fact that the number of $(s, h)$-bad pairs with respect to $\mathbf{x}$ is equal to the number of walks of length $r - s$ in a certain directed graph (namely the tensor product of two copies of a span $s$ binary de Bruijn graph, with a single vertex removed). Indeed, for small values of $s$ computer calculations based on this framework show that $f_s(r) \sim C_s \beta_s^r$ where the value of $\beta_s$ is given in the following table (to 5 decimal places), with the value of $\alpha_s$ given by our upper bound included for comparison:



    s             2         3         4         5         6
    $\alpha_s$    3.87298   3.97906   3.99609   3.99922   3.99984
    $\beta_s$     3.73205   3.93947   3.98444   3.99615   3.99903

The computer calculations show that the pairs that are $(s, h)$-bad where $h = \lfloor (s-1)/2 \rfloor$ and $h = \lceil (s-1)/2 \rceil$ provide the dominant term for $f_s(r)$ for $s \le 6$.
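As an added illustration (not from the paper), the following Python enumerates the $s$-bad pairs of Section 2.2 by brute force for small $r$, compares $f_s(r)$ with the bound of Lemma 3 and with the closed form $2 \cdot 3^r - 2^r$ that holds for $s = 1$, and reports the consecutive ratios $f_s(r+1)/f_s(r)$, which by the remark above tend to $\beta_s$. The helper names are my own.

```python
# Added example, not from the paper: brute-force count of the s-bad pairs f_s(r)
# of Section 2.2 for small r, checked against the bound of Lemma 3,
# f_s(r) <= 2 s 4^(s-1) alpha_s^r with alpha_s = (4^s - 1)^(1/s).
from itertools import product

def is_s_good(x, y, s):
    """(x, y) is s-good if for every h there are windows i, j (0 <= i, j <= r-s) with
    x[i:i+s] = e_h, y[i:i+s] = 0_s  and  x[j:j+s] = 0_s, y[j:j+s] = e_h."""
    r = len(x)
    zero = (0,) * s
    for h in range(s):
        e_h = tuple(int(k == h) for k in range(s))
        has_i = has_j = False
        for i in range(r - s + 1):
            xw, yw = x[i:i + s], y[i:i + s]
            has_i = has_i or (xw == e_h and yw == zero)
            has_j = has_j or (xw == zero and yw == e_h)
        if not (has_i and has_j):
            return False
    return True

def count_bad(r, s):
    """f_s(r): number of s-bad pairs of binary vectors of length r (all 4^r pairs scanned)."""
    vecs = list(product((0, 1), repeat=r))
    return sum(1 for x in vecs for y in vecs if not is_s_good(x, y, s))

def lemma3_bound(r, s):
    """Upper bound of Lemma 3: 2 s 4^(s-1) alpha_s^r."""
    alpha = (4 ** s - 1) ** (1.0 / s)
    return 2 * s * 4 ** (s - 1) * alpha ** r

def f1_closed_form(r):
    """s = 1: a pair is 1-bad iff x <= y or x >= y componentwise, so f_1(r) = 2*3^r - 2^r."""
    return 2 * 3 ** r - 2 ** r

def growth_ratios(s, r_max):
    """Consecutive ratios f_s(r+1)/f_s(r) for r = s..r_max; they tend to beta_s (paper's table)."""
    counts = [count_bad(r, s) for r in range(s, r_max + 1)]
    return [b / a for a, b in zip(counts, counts[1:])]

if __name__ == "__main__":
    for s in (1, 2):
        for r in range(s, 8):
            f = count_bad(r, s)
            print(f"s={s} r={r} f_s(r)={f} bound={lemma3_bound(r, s):.0f} share={f / 4 ** r:.4f}")
    print("ratios for s=1 (beta_1 = 3):", growth_ratios(1, 8))
```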
3 Main Result

3.1 One Dimensional Distribution

For $\mathbf{P} = (P_0, \ldots, P_{r-1}) \in E(\mathbb{F}_p)^r$, we denote by $D_{\mathbf{P}}(N)$ the discrepancy of the points
$$\frac{x(V_{\mathbf{P}}(n))}{p}, \qquad n = 1, \ldots, N.$$

Theorem 4. Let the linear recurrence sequence $(u(n))_{n=1}^{\infty}$ be purely periodic with period $\tau$ and order $r = O(p^{1/2})$ and let its characteristic polynomial be irreducible over $\mathbb{F}_2$. Then for any $\delta > 0$, and for all except $O(\delta p^r)$ choices for $\mathbf{P} \in E(\mathbb{F}_p)^r$, for all $1 \le N \le \tau$, we have
$$D_{\mathbf{P}}(N) \ll \delta^{-1} \left( N^{-1/2} + 3^{r/2} N^{-1} p^{-1/4} + p^{-1/2} \right) (\log \tau)^2 \log p.$$

Proof. From Lemma 1, used with $L = p$, we derive
$$D_{\mathbf{P}}(N) \ll \frac{1}{p} + \frac{1}{N} \sum_{0 < |a| < p} \frac{1}{|a|} \left| \sum_{n=1}^{N} e_p(a x(V_{\mathbf{P}}(n))) \right|.$$
Let $N_\mu = \min\{2^\mu, \tau\}$, $\mu = 0, 1, \ldots$. Define $k$ by the inequality $N_{k-1} < N \le N_k$, that is, $k = \lceil \log_2 N \rceil$. Then from (5) we derive
$$\sum_{n=1}^{N} e_p(a x(V_{\mathbf{P}}(n))) = \frac{1}{N_k} \sum_{n=1}^{N_k} \sum_{\lambda=1}^{N} \sum_{\eta=0}^{N_k-1} e_p(a x(V_{\mathbf{P}}(n))) \, e_{N_k}(\eta(n-\lambda)).$$
Hence,
$$D_{\mathbf{P}}(N) \ll \frac{1}{p} + \frac{1}{N} \Delta_{\mathbf{P}}(k), \qquad (7)$$
where
$$\Delta_{\mathbf{P}}(k) = \frac{1}{N_k} \sum_{0 < |a| < p} \frac{1}{|a|} \sum_{\eta=0}^{N_k-1} \left| \sum_{\lambda=1}^{N} e_{N_k}(-\eta\lambda) \right| \left| \sum_{n=1}^{N_k} e_p(a x(V_{\mathbf{P}}(n))) \, e_{N_k}(\eta n) \right|.$$
The celebrated Hasse bound shows that
$$(\# E(\mathbb{F}_p))^r = O(p^r), \qquad (8)$$
as we have assumed that $r = O(p^{1/2})$. Applying the Cauchy inequality, we derive
$$\left( \sum_{\mathbf{P} \in E(\mathbb{F}_p)^r} \left| \sum_{n=1}^{N_k} e_p(a x(V_{\mathbf{P}}(n))) \, e_{N_k}(\eta n) \right| \right)^2 \ll p^r \sum_{n,l=1}^{N_k} e_{N_k}(\eta(n-l)) \sum_{\mathbf{P} \in E(\mathbb{F}_p)^r} e_p\big( a (x(V_{\mathbf{P}}(n)) - x(V_{\mathbf{P}}(l))) \big).$$
For the case $n = l$, we estimate the inner sum trivially as $(\# E(\mathbb{F}_p))^r = O(p^r)$. We split the rest of the sum into two sums: the first over distinct 1-bad pairs of vectors
$$\big( (u(n), \ldots, u(n+r-1)),\ (u(l), \ldots, u(l+r-1)) \big) \qquad (9)$$
and the second over 1-good pairs of vectors (9).

Let $\mathcal{B}_\tau$ be the set of pairs of indices $(n, l)$ such that the pair of vectors (9) is 1-bad, that is, the set of pairs for which $u(n+i) \ge u(l+i)$ for all $i = 0, \ldots, r-1$, or $u(n+i) \le u(l+i)$ for all $i = 0, \ldots, r-1$. As the vectors are distinct, there exists an index $i = 0, \ldots, r-1$ such that we have, for example, $u(n+i) > u(l+i)$, which means that $V_{\mathbf{P}}(l)$ does not depend on the point $P_i$. The Bombieri bound given by Lemma 2 in the case when $f(X, Y) = X$ shows that for any fixed $c_1 \in E(\mathbb{F}_p)$ and $c_2 \in \mathbb{F}_p$
$$\left| \sum_{P \in E(\mathbb{F}_p)} e_p(a x(c_1 + P) + c_2) \right| \le 1 + \left| \sum_{\substack{P \in E(\mathbb{F}_p) \\ P \ne -c_1}} e_p(a x(c_1 + P) + c_2) \right| = O(p^{1/2}).$$
So we bound our inner sum by summing over the point $P_i \in E(\mathbb{F}_p)$ to obtain
$$\sum_{\mathbf{P} \in E(\mathbb{F}_p)^r} e_p\big( a (x(V_{\mathbf{P}}(n)) - x(V_{\mathbf{P}}(l))) \big) = \sum_{\mathbf{P}_i \in E(\mathbb{F}_p)^{r-1}} \sum_{P_i \in E(\mathbb{F}_p)} e_p\big( a (x(F_n(\mathbf{P}_i) + P_i) - x(F_l(\mathbf{P}_i))) \big) = O(p^{r-1/2}),$$
where $\mathbf{P}_i$ is the vector obtained from $\mathbf{P}$ by removing the point $P_i$, and $F_m(\mathbf{P}_i) \in E(\mathbb{F}_p)$ denotes a point on $E$ that depends only on $m$ and $\mathbf{P}_i$.
It remains to consider the case of $(n, l) \notin \mathcal{B}_\tau$. In this case, there exist two indices $i, j = 0, \ldots, r-1$ such that we have, for example, $u(n+i) > u(l+i)$ and $u(n+j) < u(l+j)$. Thus $V_{\mathbf{P}}(l)$ does not depend on the point $P_i$ and $V_{\mathbf{P}}(n)$ does not depend on the point $P_j$. Using Lemma 2 again, but this time applied for the sums over the points $P_i$ and $P_j$, and (8), the inner sum becomes
$$\sum_{\mathbf{P} \in E(\mathbb{F}_p)^r} e_p\big( a (x(V_{\mathbf{P}}(n)) - x(V_{\mathbf{P}}(l))) \big) = \sum_{\mathbf{P}_{i,j} \in E(\mathbb{F}_p)^{r-2}} \sum_{P_i \in E(\mathbb{F}_p)} e_p\big( a x(F_n(\mathbf{P}_{i,j}) + P_i) \big) \sum_{P_j \in E(\mathbb{F}_p)} e_p\big( -a x(G_l(\mathbf{P}_{i,j}) + P_j) \big) = O(p^{r-1}),$$
where $\mathbf{P}_{i,j}$ is the vector obtained from $\mathbf{P}$ by removing the points $P_i$ and $P_j$, and $F_m(\mathbf{P}_{i,j}), G_m(\mathbf{P}_{i,j}) \in E(\mathbb{F}_p)$ denote points on $E$ that depend only on $m$ and $\mathbf{P}_{i,j}$. Putting everything together, by Lemma 3 we obtain
$$\left( \sum_{\mathbf{P} \in E(\mathbb{F}_p)^r} \left| \sum_{n=1}^{N_k} e_p(a x(V_{\mathbf{P}}(n))) \, e_{N_k}(\eta n) \right| \right)^2 \ll p^r \Big( N_k p^r + \sum_{\substack{(n,l) \in \mathcal{B}_\tau \\ n \ne l}} p^{r-1/2} + \sum_{\substack{n,l=1 \\ (n,l) \notin \mathcal{B}_\tau}}^{N_k} p^{r-1} \Big) \ll p^r \left( N_k p^r + 3^r p^{r-1/2} + N_k^2 p^{r-1} \right),$$
and thus
$$\sum_{\mathbf{P} \in E(\mathbb{F}_p)^r} \left| \sum_{n=1}^{N_k} e_p(a x(V_{\mathbf{P}}(n))) \, e_{N_k}(\eta n) \right| \ll p^r \left( N_k^{1/2} + 3^{r/2} p^{-1/4} + N_k p^{-1/2} \right).$$
Using (6), we obtain
$$\sum_{\mathbf{P} \in E(\mathbb{F}_p)^r} \sum_{0 < |a| < p} \frac{1}{|a|} \sum_{\eta=0}^{N_k-1} \left| \sum_{\lambda=1}^{N} e_{N_k}(-\eta\lambda) \right| \left| \sum_{n=1}^{N_k} e_p(a x(V_{\mathbf{P}}(n))) \, e_{N_k}(\eta n) \right| \ll \left( N_k^{1/2} p^r + 3^{r/2} p^{r-1/4} + N_k p^{r-1/2} \right) N_k \log N_k \log p \ll \left( N_k^{3/2} p^r + N_k 3^{r/2} p^{r-1/4} + N_k^2 p^{r-1/2} \right) \log \tau \log p.$$
Since $\Delta_{\mathbf{P}}(k)$ is $1/N_k$ times the inner sum over $a$ and $\eta$ above, for each $k = 1, \ldots, \lceil \log_2 \tau \rceil$, the inequality
$$\Delta_{\mathbf{P}}(k) \ge \delta^{-1} \left( N_k^{1/2} + 3^{r/2} p^{-1/4} + N_k p^{-1/2} \right) (\log \tau)^2 \log p \qquad (10)$$
holds for at most $O(\delta p^r / \log \tau)$ vectors $\mathbf{P} \in E(\mathbb{F}_p)^r$. Therefore, the number of vectors $\mathbf{P} \in E(\mathbb{F}_p)^r$ for which (10) holds for at least one $k = 1, \ldots, \lceil \log_2 \tau \rceil$ is $O(\delta p^r)$. For all the other points $\mathbf{P} \in E(\mathbb{F}_p)^r$, by (7) and taking into account that $N_k \le 2 N_{k-1} < 2N$, we get
$$D_{\mathbf{P}}(N) \ll \delta^{-1} \left( N^{-1/2} + 3^{r/2} N^{-1} p^{-1/4} + p^{-1/2} \right) (\log \tau)^2 \log p,$$
which concludes the proof. □

We note that El Mahassni [4] obtained the bound
$$\text{[bound lost in extraction]} \qquad (11)$$
under the same conditions. Say, in the most interesting case of sequences of maximal period $\tau = 2^r - 1$ and $r$ chosen so that $2^r \le p \le 2^{r+1}$, Theorem 4 gives a stronger result for
$$\tau \ge N \ge p^{0.5 \log 3 / \log 2} = p^{0.79248\ldots}.$$
3.2 Multidimensional Distribution

For $\mathbf{P} = (P_0, \ldots, P_{r-1}) \in E(\mathbb{F}_p)^r$, we denote by $D_{\mathbf{P},s}(N)$ the $s$-dimensional discrepancy of the points (3).

Theorem 5. Let the linear recurrence sequence $(u(n))_{n=1}^{\infty}$ be purely periodic with period $\tau$ and order $r = O(p^{1/2})$ and let its characteristic polynomial be irreducible over $\mathbb{F}_2$. Then for any $\delta > 0$, and for all except $O(\delta p^r)$ choices for $\mathbf{P} \in E(\mathbb{F}_p)^r$, for all $1 \le N \le \tau$, we have
$$D_{\mathbf{P},s}(N) \ll \delta^{-1} \left( N^{-1/2} \log p + p^{-1/2} \log p + \alpha_s^{r/2} N^{-1} (\log p)^s \right) (\log \tau)^2,$$
where the implied constant depends only on $s$ and $\alpha_s$ is as in Lemma 3.
Proof. Exactly as in the proof of Theorem 4, by Lemma 1 we get
$$D_{\mathbf{P},s}(N) \ll \frac{1}{p} + \frac{1}{N} \Delta_{\mathbf{P},s}(k), \qquad (12)$$
where
$$\Delta_{\mathbf{P},s}(k) = \frac{1}{N_k} \sum_{\substack{0 < |\mathbf{a}| < p \\ \mathbf{a} = (a_0, \ldots, a_{s-1}) \in \mathbb{Z}^s}} \frac{1}{r(\mathbf{a})} \sum_{\eta=0}^{N_k-1} \left| \sum_{\lambda=1}^{N} e_{N_k}(-\eta\lambda) \right| \left| \sum_{n=1}^{N_k} e_p\Big( \sum_{\nu=0}^{s-1} a_\nu x(V_{\mathbf{P}}(n+\nu)) \Big) e_{N_k}(\eta n) \right|.$$
We further split the sum $\Delta_{\mathbf{P},s}(k)$ into two parts $\Delta_{\mathbf{P},s,1}(k)$ and $\Delta_{\mathbf{P},s,2}(k)$, where the summation in $\Delta_{\mathbf{P},s,1}(k)$ is taken over the vectors $\mathbf{a} = (a_0, \ldots, a_{s-1}) \in \mathbb{Z}^s$ with only one non-zero component and $\Delta_{\mathbf{P},s,2}(k)$ includes all other terms. Thus
$$\Delta_{\mathbf{P},s}(k) = \Delta_{\mathbf{P},s,1}(k) + \Delta_{\mathbf{P},s,2}(k). \qquad (13)$$
As in the proof of Theorem 4 we obtain
$$\sum_{\mathbf{P} \in E(\mathbb{F}_p)^r} \Delta_{\mathbf{P},s,1}(k) \ll \left( N_k^{1/2} p^r + 3^{r/2} p^{r-1/4} + N_k p^{r-1/2} \right) \log \tau \log p. \qquad (14)$$

Now, let $\mathcal{A}_s$ be the set of the vectors $\mathbf{a} = (a_0, \ldots, a_{s-1}) \in \mathbb{Z}^s$ with $0 < |\mathbf{a}| < p$ and with at least two nonzero components. For $\mathbf{a} \in \mathcal{A}_s$, applying the Cauchy inequality and the Hasse bound (8), we derive
$$\left( \sum_{\mathbf{P} \in E(\mathbb{F}_p)^r} \left| \sum_{n=1}^{N_k} e_p\Big( \sum_{\nu=0}^{s-1} a_\nu x(V_{\mathbf{P}}(n+\nu)) \Big) e_{N_k}(\eta n) \right| \right)^2 \ll p^r \sum_{n,l=1}^{N_k} e_{N_k}(\eta(n-l)) \sum_{\mathbf{P} \in E(\mathbb{F}_p)^r} e_p\Big( \sum_{\nu=0}^{s-1} a_\nu \big( x(V_{\mathbf{P}}(n+\nu)) - x(V_{\mathbf{P}}(l+\nu)) \big) \Big).$$
Now, as in Theorem 4, we split the sum into two sums, one over pairs $(n, l)$ such that the pair of vectors (9) is $s$-bad and one over $s$-good pairs.

Let $\mathcal{B}_{\tau,s}$ be the set of pairs of indices $(n, l)$ such that the pair of vectors (9) is $s$-bad. For $(n, l) \in \mathcal{B}_{\tau,s}$, as in the proof of Theorem 4, we estimate the inner sum over $\mathbf{P}$ trivially as $O(p^r)$.

It remains to consider the case of $(n, l) \notin \mathcal{B}_{\tau,s}$. Since $\mathbf{a} \in \mathcal{A}_s$ there exist at least two distinct indices $i, j = 0, \ldots, s-1$ such that $a_i, a_j \ne 0$. Since $(n, l) \notin \mathcal{B}_{\tau,s}$, there exist two indices $i_1, i_2 = 0, \ldots, r-s$ such that
$$(u(n+i_1), \ldots, u(n+i_1+s-1)) = \mathbf{e}_i, \qquad (u(l+i_1), \ldots, u(l+i_1+s-1)) = \mathbf{0}_s,$$
and
$$(u(n+i_2), \ldots, u(n+i_2+s-1)) = \mathbf{0}_s, \qquad (u(l+i_2), \ldots, u(l+i_2+s-1)) = \mathbf{e}_i.$$
Similarly, there exist two indices $j_1, j_2 = 0, 1, \ldots, r-s$ such that
$$(u(n+j_1), \ldots, u(n+j_1+s-1)) = \mathbf{e}_j, \qquad (u(l+j_1), \ldots, u(l+j_1+s-1)) = \mathbf{0}_s,$$
and
$$(u(n+j_2), \ldots, u(n+j_2+s-1)) = \mathbf{0}_s, \qquad (u(l+j_2), \ldots, u(l+j_2+s-1)) = \mathbf{e}_j.$$
(Here $\mathbf{e}_i$ and $\mathbf{e}_j$ denote the basis vectors with a $1$ in the positions of $a_i$ and $a_j$ respectively.) When $\nu \in \{0, 1, \ldots, s-1\} \setminus \{i, j\}$, the equations above show that
$$u(n+\nu+i_1) = u(n+\nu+i_2) = u(n+\nu+j_1) = u(n+\nu+j_2) = 0,$$
and so $V_{\mathbf{P}}(n+\nu)$ does not depend on any of $P_{i_1}, P_{i_2}, P_{j_1}, P_{j_2}$. Similarly, $V_{\mathbf{P}}(l+\nu)$ does not depend on any of $P_{i_1}, P_{i_2}, P_{j_1}, P_{j_2}$. When $\nu = i$ (so $\nu \ne j$), the equations above show that
$$u(n+\nu+i_1) = 1 \quad \text{and} \quad u(n+\nu+i_2) = u(n+\nu+j_1) = u(n+\nu+j_2) = 0,$$
so $V_{\mathbf{P}}(n+\nu) = V_{\mathbf{P}}(n+i)$ depends on $P_{i_1}$, but does not depend on any of $P_{i_2}, P_{j_1}, P_{j_2}$. Similarly $V_{\mathbf{P}}(l+i)$ depends on $P_{i_2}$, but none of $P_{i_1}, P_{j_1}, P_{j_2}$; $V_{\mathbf{P}}(n+j)$ depends on $P_{j_1}$, but none of $P_{i_1}, P_{i_2}, P_{j_2}$, and $V_{\mathbf{P}}(l+j)$ depends on $P_{j_2}$, but none of $P_{i_1}, P_{i_2}, P_{j_1}$.
Let $\mathbf{P}_{i_1,i_2,j_1,j_2}$ be the vector obtained from $\mathbf{P}$ after discarding the points $P_{i_1}$, $P_{i_2}$, $P_{j_1}$ and $P_{j_2}$. We can apply Lemma 2 to our inner sum as in the one dimensional case, but this time applied for four sums over the points $P_{i_1}$, $P_{i_2}$, $P_{j_1}$ and $P_{j_2}$, to obtain
$$\sum_{\mathbf{P} \in E(\mathbb{F}_p)^r} e_p\Big( \sum_{\nu=0}^{s-1} a_\nu \big( x(V_{\mathbf{P}}(n+\nu)) - x(V_{\mathbf{P}}(l+\nu)) \big) \Big) = \sum_{\mathbf{P}_{i_1,i_2,j_1,j_2} \in E(\mathbb{F}_p)^{r-4}} e_p\big( \Psi_{n,l}(\mathbf{P}_{i_1,i_2,j_1,j_2}) \big) \prod_{m \in \{i_1, i_2, j_1, j_2\}} \sum_{P_m \in E(\mathbb{F}_p)} e_p\big( \pm a_\nu \, x(G_m(\mathbf{P}_{i_1,i_2,j_1,j_2}) + P_m) \big) = O\big( p^{r-4} (p^{1/2})^4 \big) = O(p^{r-2}),$$
where
$$\Psi_{n,l}(\mathbf{P}_{i_1,i_2,j_1,j_2}) = \sum_{\substack{\nu=0 \\ \nu \ne i, j}}^{s-1} a_\nu \big( x(V_{\mathbf{P}}(n+\nu)) - x(V_{\mathbf{P}}(l+\nu)) \big)$$
depends only on $n$, $l$ and $\mathbf{P}_{i_1,i_2,j_1,j_2}$, the coefficient $\pm a_\nu$ in the factor for $P_m$ is $a_i$, $-a_i$, $a_j$, $-a_j$ for $m = i_1, i_2, j_1, j_2$ respectively, and $G_m(\mathbf{P}_{i_1,i_2,j_1,j_2}) \in E(\mathbb{F}_p)$ denotes a point on $E(\mathbb{F}_p)$ that depends only on $m$, $n$, $l$ and $\mathbf{P}_{i_1,i_2,j_1,j_2}$. (Note that we are using the fact that $a_i$ and $a_j$ are non-zero at this point.)

Putting everything together, by Lemma 3 we obtain
$$\left( \sum_{\mathbf{P} \in E(\mathbb{F}_p)^r} \left| \sum_{n=1}^{N_k} e_p\Big( \sum_{\nu=0}^{s-1} a_\nu x(V_{\mathbf{P}}(n+\nu)) \Big) e_{N_k}(\eta n) \right| \right)^2 \ll p^r \left( N_k p^r + \alpha_s^r p^r + N_k^2 p^{r-2} \right),$$
and thus, since $N_k \le \tau \le 2^r$,
$$\sum_{\mathbf{P} \in E(\mathbb{F}_p)^r} \left| \sum_{n=1}^{N_k} e_p\Big( \sum_{\nu=0}^{s-1} a_\nu x(V_{\mathbf{P}}(n+\nu)) \Big) e_{N_k}(\eta n) \right| \ll p^r \left( N_k^{1/2} + \alpha_s^{r/2} + N_k p^{-1} \right) \ll p^r \left( \alpha_s^{r/2} + N_k p^{-1} \right).$$
Now using (6) we obtain
$$\sum_{\mathbf{P} \in E(\mathbb{F}_p)^r} \sum_{\mathbf{a} \in \mathcal{A}_s} \frac{1}{r(\mathbf{a})} \sum_{\eta=0}^{N_k-1} \left| \sum_{\lambda=1}^{N} e_{N_k}(-\eta\lambda) \right| \left| \sum_{n=1}^{N_k} e_p\Big( \sum_{\nu=0}^{s-1} a_\nu x(V_{\mathbf{P}}(n+\nu)) \Big) e_{N_k}(\eta n) \right| \ll \left( N_k p^{r-1} + \alpha_s^{r/2} p^r \right) N_k \log N_k (\log p)^s \ll \left( N_k^2 p^{r-1} + \alpha_s^{r/2} N_k p^r \right) \log \tau (\log p)^s.$$
Thus, from (13) and (14), we obtain the inequality
$$\sum_{\mathbf{P} \in E(\mathbb{F}_p)^r} \Delta_{\mathbf{P},s}(k) \ll \left( N_k^{1/2} p^r + 3^{r/2} p^{r-1/4} + N_k p^{r-1/2} \right) \log \tau \log p + \left( N_k p^{r-1} + \alpha_s^{r/2} p^r \right) \log \tau (\log p)^s \ll \left( N_k^{1/2} p^r + N_k p^{r-1/2} \right) \log \tau \log p + \alpha_s^{r/2} p^r \log \tau (\log p)^s.$$
Hence, for each $k = 1, \ldots, \lceil \log_2 \tau \rceil$, we see that the inequality
$$\Delta_{\mathbf{P},s}(k) \ge \delta^{-1} \left( N_k^{1/2} \log p + N_k p^{-1/2} \log p + \alpha_s^{r/2} (\log p)^s \right) (\log \tau)^2 \qquad (15)$$
holds for at most $O(\delta p^r / \log \tau)$ vectors $\mathbf{P} \in E(\mathbb{F}_p)^r$. Therefore, the number of vectors $\mathbf{P} \in E(\mathbb{F}_p)^r$ for which (15) holds for at least one $k = 1, \ldots, \lceil \log_2 \tau \rceil$ is $O(\delta p^r)$. For all the other points $\mathbf{P} \in E(\mathbb{F}_p)^r$, by (12) and taking into account that $N_k \le 2 N_{k-1} < 2N$, as in the proof of Theorem 4 we get
$$D_{\mathbf{P},s}(N) \ll \delta^{-1} \left( N^{-1/2} \log p + p^{-1/2} \log p + \alpha_s^{r/2} N^{-1} (\log p)^s \right) (\log \tau)^2,$$
which concludes the proof. □
Again, in the most interesting case of sequences of maximal period $\tau = 2^r - 1$ and $r$ chosen so that $2^r \le p \le 2^{r+1}$, Theorem 5 is nontrivial for a range of $N$ (the display giving this range is lost in extraction) for any fixed $\varepsilon > 0$ and a sufficiently large $p$, where the exponent in that range is
$$\frac{\log \alpha_s}{2 \log 2}.$$



4 Comments

We remark that the proofs of Theorems 4 and 5 depend only on the fact that the binary vectors $(u(n+1), \ldots, u(n+r))$, $n = 1, \ldots, \tau$, are pairwise distinct. Thus the same results hold for many other sequences $(u(n))_{n=1}^{\infty}$, for example for sequences generated by non-linear recurrence relations. In fact, in this generality, these results are new even in the case of the classical subset sum generator (1) over a residue ring (as the proof in [2] applies only to linear recurrence sequences). Our method also applies to bounds of multiplicative character sums with the sequence (1) on average over the vectors $\mathbf{z} = (z_0, \ldots, z_{r-1}) \in \mathbb{Z}_m^r$.

On the other hand, it is still an open problem to obtain nontrivial results about the multidimensional distribution of the elliptic curve subset sum generator (2) on short segments. Note that the bound (11) is nontrivial starting from values of $N$ of order a power of $\log \tau$ times a power of $\log p$ (which can be further reduced by using the approach of [15]).